OFFICE OF INSPECTOR GENERAL
EXPORT-IMPORT BANK of the UNITED STATES

EXPLICIT COMPUTER USAGE

Special Report
August 26, 2010
OIG-SR-10-02

OFFICE OF INSPECTOR GENERAL, Export-Import Bank of the United States

August 26, 2010

MEMORANDUM

TO:       Fernanda Young, Chief Information Officer
          Bill Smith, Director, IT Infrastructure and Security

FROM:     Jean Smith
          Assistant Inspector General for Audit

SUBJECT:  Explicit Computer Usage

This memorandum transmits Special Report OIG-SR-10-02, Explicit Computer Usage. The review was initiated by the Office of Inspector General of the Export-Import Bank of the United States (Bank) to determine whether the Bank has (1) policies on information technology use and disciplinary guidance and (2) controls to prevent and identify Ex-Im Bank employees accessing sexually explicit material on government computers.

The report contains one suggestion. We suggested that the Chief Information Officer alert the Inspector General (IG) of computer misuse involving incidents referred to management for disciplinary actions. The Chief Information Officer stated that incident reports will be provided to the IG after the Office of General Counsel reviews the reports. Appendix C of this report is the Chief Information Officer’s formal response to our review.

We appreciate the courtesies and cooperation provided to the auditors during the review. If you have any questions, please call me at (202) 565-3944.

cc:  Audit Committee
     Alice Albright, Senior Vice President, Chief Operations Officer
     Michael Cushing, Senior Vice President, Resource Management
     John Simonson, Chief Financial Officer and Audit Liaison

811 Vermont Avenue, N.W. Washington, D.C. 20571

Explicit Computer Usage                                   OIG-SR-10-02
Special Report

EXECUTIVE SUMMARY

The Office of Inspector General (OIG) performed a limited review to address an inquiry from Senator Charles E. Grassley on the viewing, downloading, and possible distribution of pornography at the Export-Import Bank of the United States (Ex-Im Bank). Our specific objectives were to determine whether Ex-Im Bank has (1) policies on information technology use and disciplinary guidance and (2) controls to prevent and identify Ex-Im Bank employees accessing sexually explicit material on government computers.

Ex-Im Bank has policies and annual employee training on the proper use of government computers. Additionally, Ex-Im Bank’s Policy 752 – Employee Conduct and Discipline provides the basic rules of discipline for Ex-Im Bank.

Controls are in place to block employees’ computers from accessing sexually explicit material, monitor computer activity, and take appropriate action to prevent further illicit access and report incidents. The Office of the Chief Information Officer (OCIO) maintains Internet and e-mail blockers to prevent access to prohibited sources, reviews activity logs daily, and takes the necessary action. When employee misuse is identified, the Chief Information Officer submits a Security Incident Report for further processing by General Counsel. However, the OIG is not alerted of the incident.

General practice by government agencies is to report misconduct to the Inspector General (IG). We suggest that the Chief Information Officer include the IG in the distribution of Security Incident Reports on computer misuse involving incidents referred to management for disciplinary actions.

The Chief Information Officer stated that incident reports will be provided to the IG after the Office of General Counsel reviews the reports. Appendix C of this report is the Chief Information Officer’s formal response to our review.

Office of Inspector General, Export-Import Bank of the United States

TABLE OF CONTENTS

EXECUTIVE SUMMARY
I.    BACKGROUND
II.   OBJECTIVES
III.  SCOPE AND METHODOLOGY
IV.   FINDINGS AND SUGGESTION
      A. ADEQUATE POLICIES ON INFORMATION TECHNOLOGY USE AND DISCIPLINARY GUIDANCE EXIST
      B. ADEQUATE CONTROLS ARE IN PLACE TO MANAGE ACCESS OF SEXUALLY EXPLICIT MATERIAL
         Suggestion 1
         Management Response
APPENDIX A – STANDARDS OF ETHICAL CONDUCT
APPENDIX B – DOUGLAS FACTORS
APPENDIX C – MANAGEMENT RESPONSE

I.    BACKGROUND

Use of Government property, 5 Code of Federal Regulations, part 2635.704(a), states:

      An employee has a duty to protect and conserve Government property and shall not use such property, or allow its use, for other than authorized purposes.

      Government property includes any form of real or personal property in which the Government has an ownership, leasehold, or other property interest as well as any right or other intangible interest that is purchased with Government funds, including the services of contractor personnel. The term includes office supplies, telephone and other telecommunications equipment and services, the Government mails, automated data processing capabilities, printing and reproduction facilities, Government records, and Government vehicles.

II.   OBJECTIVES

The objectives of this review were to determine whether Ex-Im Bank has (1) policies on information technology use and disciplinary guidance and (2) controls to prevent and identify Ex-Im Bank employees accessing sexually explicit material on government computers.

III.  SCOPE AND METHODOLOGY

We interviewed Ex-Im Bank’s Director, Information Technology (IT) Infrastructure and Security in the Office of the Chief Information Officer, and we reviewed computer activity logs. We also reviewed applicable procedures and information available on Ex-Im Bank’s internal website.

Over a two-day period during our fieldwork, we conducted an unannounced test of Ex-Im Bank’s controls for preventing and identifying pornography access on government computers. The test consisted of attempting to access and retrieve pornographic material on the Internet and via e-mail. Subsequent to this test, we reviewed how promptly Ex-Im Bank responded to our test activities.

We conducted our fieldwork from August 2, 2010 to August 10, 2010.

We performed a limited review to address an inquiry from Senator Charles E. Grassley regarding employees’ use of Ex-Im Bank computers to obtain pornography.

IV.   FINDINGS AND SUGGESTION

A.    ADEQUATE POLICIES ON INFORMATION TECHNOLOGY USE AND DISCIPLINARY GUIDANCE EXIST

Ex-Im Bank issued adequate policies to inform users of the proper use of its computers and potential disciplinary actions for misuse. Additionally, as part of the annual IT security training, computer users are reminded that use of Ex-Im Bank computers to access sexually explicit or sexually oriented material is prohibited. Annual IT security training requires the participants to review and accept Ex-Im Bank’s Rules of Behavior.

Ex-Im Bank established policies titled Rules of Behavior and “Limited Personal Use” of Government Office Equipment Including Information Technology to advise users that use of computers, e-mail, the Internet, and electronic information must be in a professional, appropriate, ethical, and lawful manner.

The Rules of Behavior states that employees and contractors must:

      • Adhere to the “Limited Personal Use” of Government Office Equipment Including Information Technology.

      • Adhere to the established standards of conduct as defined in Ex-Im Bank Policy 752 – Employee Conduct and Discipline and Standards of Ethical Conduct for Employees of the Executive Branch.

The Rules of Behavior further states:

      Failure to conform one’s conduct to these rules may lead to adverse action, including but not limited to, suspension of access privileges, reprimand, suspension, or termination from the federal service, and/or civil and/or criminal penalties. All users have no right to or expectation of privacy while using any Ex-Im Bank IT system at any time, including accessing the Internet, using e-mail, or limited personal use.

“Limited Personal Use” of Government Office Equipment Including Information Technology provides a list of inappropriate personal uses. “The creation, download, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials” is included in the policy’s Inappropriate Personal Uses list.

For disciplinary guidance, Ex-Im Bank established Policy 752 – Employee Conduct and Discipline. This Policy contains Standards of Ethical Conduct for Employees (Appendix A), Douglas Factors[1] (Appendix B), and a Table of Offenses and Suggested Disciplinary Penalties. Disciplinary penalties listed in Policy 752 are provided as guidance. In each case of formal discipline, the supervisor must coordinate with the Office of Human Resources before proposing and deciding the appropriate action. All proposed suspensions and removals must be coordinated with the Assistant General Counsel for Administration in the Office of the General Counsel (OGC). Presented below is the suggested penalty for explicit computer use.

      Nature of Offense                        First Offense                  Second Offense                 Third Offense
      Misuse of the Bank’s computer systems,   Written Reprimand to Removal   14-Day Suspension to Removal   Removal
      Internet, or electronic mail

[1] In Douglas v. Veterans Administration (1981), the Merit Systems Protection Board identified 12 relevant factors that agency management needs to consider and weigh in deciding an appropriate disciplinary penalty.

Although Ex-Im Bank alerted employees to prohibited computer use, over the last two years the Director, IT Infrastructure and Security Office, identified two employees who accessed pornography on Ex-Im Bank computers and alerted the OGC. While the OGC was processing the cases, these employees voluntarily left the federal government.

B.    ADEQUATE CONTROLS ARE IN PLACE TO MANAGE ACCESS OF SEXUALLY EXPLICIT MATERIAL

Ex-Im Bank has adequate controls in place to block employees’ computers from accessing sexually explicit material, monitor computer activity, and take appropriate action to prevent further illicit access and report incidents. However, the Inspector General (IG) has not traditionally been alerted of these incidents. General practice by government agencies is to report misconduct to the IG. While Ex-Im Bank’s Charter directs General Counsel to ensure appropriate legal counsel for advice on, and oversight of, issues relating to personnel matters, alerting the IG of computer misuse will assist the IG in preventing and detecting fraud and abuse in programs and operations as required under the Inspector General Act of 1978, as amended.

To test the effectiveness of Ex-Im Bank’s controls, we attempted to browse the Internet and download pornographic material using Ex-Im Bank computers. We randomly used web addresses associated with pornography and search engines – using words and phrases normally associated with pornography – for links and addresses to connect to pornography sites. For the most part, all attempts were blocked.

On the third day after the above controls testing began, the Office of the Chief Information Officer (OCIO) IT Infrastructure and Security Office Director met with the OIG’s Assistant Inspector General for Audit (AIGA) to report logged activity by OIG staff to access pornography. This Director presented the AIGA with a Security Incident Report and supporting documentation. The AIGA advised the Director that the OIG staff activity was a test of Ex-Im Bank controls. Also, because the test resulted in reaching three pornography sites, the AIGA provided the three accessed sites to the Director, who immediately blocked them from future access on Ex-Im Bank computers.

We recognize that it is impossible to totally block pornography, because new sites are constantly created and some sites contain a combination of pornography and non-pornography; nevertheless, our test confirmed that Ex-Im Bank has adequate controls in place to manage access to sexually explicit material.

Our discussion of Ex-Im Bank’s controls is presented below.

Blockers

Ex-Im Bank has significantly strengthened its IT capabilities to block inappropriate Internet sites and e-mails since 2006. Although it took an extensive amount of time to implement the current systems, in July 2009 the Software/Hardware Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) were fully implemented.

Full implementation of this hardware/software took several years, primarily due to the need to upgrade IT infrastructure and enhance the power system. Because installation was conducted one floor at a time, some Ex-Im Bank computer users had blocking software installed as far back as three years ago, while others were not blocked until approximately one year ago.

Ex-Im Bank’s OCIO identified sites, words, and numerous categories for its IDS and IPS to either monitor or block. The prohibited categories, which OCIO either monitors or blocks outright, cover sites containing sexually explicit, violent, hate, or gambling material and approximately 48 other categories.

The site blocking hardware/software is updated every five minutes via subscription-based services. It is also manually updated by the IT Infrastructure and Security Office when a prohibited site is identified outside of the subscribed service.

Monitoring

Security Engineers in the IT Infrastructure and Security Office review Internet browsing logs daily. The logs are analyzed to see if Ex-Im Bank users are excessively using computer bandwidth or attempting to visit blocked, malware[2], or questionable sites.

[2] Malware is short for malicious software. It is software designed to infiltrate a computer system without the owner’s informed consent.

E-mail attachments are also monitored via IDS software. This filtering software works by comparing known sexually explicit key words and other known spamware/virus names to the e-mail attachment(s).

When questionable activity is identified by Security Engineers and others, such as Ex-Im Bank’s Helpdesk staff, the IT Infrastructure and Security Office Director will research the activity to determine the appropriate action.

Action

Research revealing prohibited activity and/or potential harm to Ex-Im Bank’s IT systems is summarized and discussed at the daily IT Infrastructure and Security Office meeting. For a newly identified site which may be harmful or prohibited, the OCIO will add the site to the IPS systems. For prohibited activity conducted by an employee or contractor, the IT Infrastructure and Security Office Director will issue a report and supporting evidence of the behavior to the Chief Information Officer (CIO). The CIO will then forward the report and evidence to the OGC for a determination of the behavior and appropriate disciplinary action.
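The daily log review described under Monitoring and Action, as an added illustration that is not Ex-Im Bank’s tooling or code from this report. It runs over constructed proxy log lines; the log format, category labels, user names, and the bandwidth threshold are all assumptions made for the example.

```python
"""Daily Internet-log review: flag users whose activity a Security Engineer
would research further (repeated attempts at prohibited categories, contact
with a malware site, excessive bandwidth, or uncategorized hosts that need a
manual category decision).

Assumed log format (constructed for this example), one request per line:
    <ISO timestamp> <user> <host> <category> <action> <bytes>
where action is ALLOWED or BLOCKED and category is the filter's label.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Category labels the report names as monitored or blocked outright
# (label spellings are assumptions).
PROHIBITED = {"sexually-explicit", "violence", "hate", "gambling", "malware"}

# Constructed threshold: bytes per user per day above which usage is "excessive".
BANDWIDTH_LIMIT = 500_000_000

# Constructed sample log for one review day.
SAMPLE_LOG = """\
2010-08-03T09:01:10 jdoe news.example.com news ALLOWED 120000
2010-08-03T09:05:42 jdoe adult.example.net sexually-explicit BLOCKED 0
2010-08-03T09:06:03 jdoe adult2.example.net sexually-explicit BLOCKED 0
2010-08-03T09:07:15 jdoe mixed.example.org uncategorized ALLOWED 830000
2010-08-03T10:15:00 asmith video.example.com streaming ALLOWED 420000000
2010-08-03T11:20:00 asmith video.example.com streaming ALLOWED 310000000
2010-08-03T12:00:00 bjones dl.example.biz malware BLOCKED 0
2010-08-03T12:01:00 bjones mail.example.com webmail ALLOWED 5000
"""


@dataclass
class UserSummary:
    blocked_hits: list = field(default_factory=list)   # (category, host) pairs
    bytes_total: int = 0
    uncategorized_hosts: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into its six fields; bytes become an int."""
    ts, user, host, category, action, nbytes = line.split()
    return ts, user, host, category, action, int(nbytes)


def summarize(log_text):
    """Aggregate per-user activity from the raw log text."""
    users = defaultdict(UserSummary)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, host, category, action, nbytes = parse_line(line)
        s = users[user]
        s.bytes_total += nbytes
        if action == "BLOCKED" or category in PROHIBITED:
            s.blocked_hits.append((category, host))
        elif category == "uncategorized":
            # Sites the subscription feed did not classify: candidates for the
            # manual update step the report describes.
            s.uncategorized_hosts.add(host)
    return users


def review(log_text, min_blocked=2):
    """Return (user, reason) findings for the daily security office meeting.

    A single blocked hit at a prohibited category is not escalated on its own
    (it may be an accidental click); repeated hits are.  Any contact with a
    malware-labelled host is escalated regardless of count.
    """
    findings = []
    for user, s in sorted(summarize(log_text).items()):
        prohibited = [h for c, h in s.blocked_hits if c in PROHIBITED]
        if len(prohibited) >= min_blocked:
            findings.append((user, f"{len(prohibited)} attempts at prohibited sites"))
        if any(c == "malware" for c, _ in s.blocked_hits):
            findings.append((user, "contact with malware site"))
        if s.bytes_total > BANDWIDTH_LIMIT:
            findings.append((user, f"excessive bandwidth: {s.bytes_total} bytes"))
        if s.uncategorized_hosts:
            hosts = ", ".join(sorted(s.uncategorized_hosts))
            findings.append((user, "uncategorized hosts need manual categorization: " + hosts))
    return findings


if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user:8} {reason}")
```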
To improve the reporting of computer misuse, the IT Infrastructure and Security Office Director recently created a standardized form – Security Incident Report – based on lessons learned from reporting previous incidents.

Over the past two years, the IT Infrastructure and Security Office Director reported incidents on five employees.

      • Three involved malware.
      • Two involved accessing pornography.

Suggestion 1

The CIO should include the IG in the distribution of Security Incident Reports on computer misuse involving incidents referred to management for disciplinary actions.

Management Response

The CIO stated that management concurred with the intent of the recommendation. The current procedure already provides that OCIO forward these incident reports to the OGC for their review. After the OGC review, the CIO will distribute incident reports to the IG.

APPENDIX A – STANDARDS OF ETHICAL CONDUCT

PART 2635 - STANDARDS OF ETHICAL CONDUCT FOR EMPLOYEES OF THE EXECUTIVE BRANCH
SUBPART A - GENERAL PROVISIONS

§ 2635.101 Basic obligation of public service.

(a) Public service is a public trust. Each employee has a responsibility to the United States Government and its citizens to place loyalty to the Constitution, laws and ethical principles above private gain. To ensure that every citizen can have complete confidence in the integrity of the Federal Government, each employee shall respect and adhere to the principles of ethical conduct set forth in this section, as well as the implementing standards contained in this part and in supplemental agency regulations.

(b) General principles. The following general principles apply to every employee and may form the basis for the standards contained in this part. Where a situation is not covered by the standards set forth in this part, employees shall apply the principles set forth in this section in determining whether their conduct is proper.
(1) Public service is a public trust, requiring employees to place loyalty to the Constitution, the laws and ethical principles above private gain.
(2) Employees shall not hold financial interests that conflict with the conscientious performance of duty.
(3) Employees shall not engage in financial transactions using nonpublic Government information or allow the improper use of such information to further any private interest.
(4) An employee shall not, except as permitted by subpart B of this part, solicit or accept any gift or other item of monetary value from any person or entity seeking official action from, doing business with, or conducting activities regulated by the employee's agency, or whose interests may be substantially affected by the performance or nonperformance of the employee's duties.
(5) Employees shall put forth honest effort in the performance of their duties.
(6) Employees shall not knowingly make unauthorized commitments or promises of any kind purporting to bind the Government.
(7) Employees shall not use public office for private gain.
(8) Employees shall act impartially and not give preferential treatment to any organization or individual.
(9) Employees shall protect and conserve Federal property and shall not use it for other than authorized activities.
(10) Employees shall not engage in outside employment or activities, including seeking or negotiating for employment, that conflict with official Government duties and responsibilities.
(11) Employees shall disclose waste, fraud, abuse, and corruption to appropriate authorities.
(12) Employees shall satisfy in good faith their obligations as citizens, including all just financial obligations, especially those--such as Federal, State, or local taxes--that are imposed by law.
(13) Employees shall adhere to all laws and regulations that provide equal opportunity for all Americans regardless of race, color, religion, sex, national origin, age, or handicap.
(14) Employees shall endeavor to avoid any actions creating the appearance that they are violating the law or the ethical standards set forth in this part. Whether particular circumstances create an appearance that the law or these standards have been violated shall be determined from the perspective of a reasonable person with knowledge of the relevant facts.

(c) Related statutes. In addition to the standards of ethical conduct set forth in this part, there are conflict of interest statutes that prohibit certain conduct. Criminal conflict of interest statutes of general applicability to all employees, 18 U.S.C. 201, 203, 205, 208, and 209, are summarized in the appropriate subparts of this part and must be taken into consideration in determining whether conduct is proper. Citations to other generally applicable statutes relating to employee conduct are set forth in subpart I and employees are further cautioned that there may be additional statutory and regulatory restrictions applicable to them generally or as employees of their specific agencies. Because an employee is considered to be on notice of the requirements of any statute, an employee should not rely upon any description or synopsis of a statutory restriction, but should refer to the statute itself and obtain the advice of an agency ethics official as needed.

APPENDIX B – DOUGLAS FACTORS

In Douglas v. Veterans Administration (1981), the Merit Systems Protection Board identified 12 relevant factors that agency management needs to consider and weigh in deciding an appropriate disciplinary penalty. The 12 Douglas Factors are:

   1.  The nature and seriousness of the offense and its relation to the employee’s duties, position, and responsibilities, including whether the offense was intentional or technical or inadvertent, or was committed maliciously or for gain, or was frequently repeated;
   2.  The employee’s job level and type of employment, including supervisory or fiduciary role, contacts with the public, and prominence of the position;
   3.  The employee’s past disciplinary record;
   4.  The employee’s past work record, including length of service, performance on the job, ability to get along with fellow workers, and dependability;
   5.  The effect of the offense upon the employee’s ability to perform at a satisfactory level and its effect upon supervisors’ confidence in the employee’s ability to perform assigned duties;
   6.  Consistency of the penalty with those imposed upon other employees for the same or similar offenses;
   7.  Consistency of the penalty with the applicable agency table of penalties (which are not to be applied mechanically so that other factors are ignored);
   8.  The notoriety of the offense or its impact upon the reputation of the agency;
   9.  The clarity with which the employee was on notice of any rules that were violated in committing the offense, or had been warned about the conduct in question;
   10. The potential for employee’s rehabilitation;
   11. Mitigating circumstances surrounding the offense, such as unusual job tensions, personality problems, mental impairment, harassment, or bad faith, malice or provocation on the part of others involved in the matter; and
   12. The adequacy and effectiveness of alternative sanctions to deter such conduct in the future by the employee or others.

APPENDIX C – MANAGEMENT RESPONSE

EXPORT-IMPORT BANK of the UNITED STATES

August 26, 2009

Jean Smith
Assistant Inspector General for Audit
Office of Inspector General
Export-Import Bank of the United States

Ref: Explicit Computer Usage - August 19, 2010, OIG-SR-10-xx.

Dear Jean:

      Thank you for the opportunity to review and comment on the IG special report “Explicit Computer Usage” dated August 19, 2010, number OIG-SR-10-xx.

      We agree with both findings and concur with the suggestion (with a minor revision proposed below).

      Finding A: Adequate policies on information technology use and disciplinary guidance exist. We are in agreement with your finding that the Ex-Im Bank has adequate controls in place to manage access to pornographic/sexually explicit web sites.

      Ex-Im Bank has policies, procedures and controls in place to ensure staff and contractors have a safe computing environment at work.

      Ex-Im Bank has policies covering “Rules of Behavior for Users of Export Import Bank Information Systems” clearly delineating responsibilities and expected behavior of all individuals with access to the systems; and “Limited Personal Use of Government Office Equipment Policy,” establishing privileges and responsibilities of Ex-Im Bank employees and contractors with regard to acceptable personal use of Government office equipment that does not interfere with Ex-Im Bank’s mission or operations and does not violate the Standards of Ethical Conduct for Employees of the Executive Branch, 5 C.F.R. § 2635. These policies follow NIST and the CIO Council Government-wide guidelines.

      The Ex-Im Bank performs mandatory annual IT Security and Privacy Awareness Training. This training reinforces policy defined by the Limited Use Policy, Rules of Behavior, Sensitive Information Policy, and the Remote Access Policy and other policies as appropriate. The Office of the Chief Information Officer (OCIO) also conducts an occasional IT security expo in order to reinforce awareness of the IT security, rules of behavior and privacy policies of Ex-Im Bank.

      Finding B: Adequate controls are in place to manage access of sexually explicit material. The OCIO has also implemented comprehensive Internet and e-mail blocking solutions to web sites and email with: 1) inappropriate content, 2) content that is likely to present IT security issues, and 3) content that presents network capacity issues.

      Currently, no explicit regulation mandates federal agencies to actively implement IT solutions for blocking access to inappropriate web sites in the workplace. The Bank has proactively implemented industry best practice capabilities in that area – solutions provided by vendors such as CISCO. The site blocking hardware and software is updated every five minutes via subscription-based services. It is also manually updated internally to handle exceptions (adding or deleting sites that are not properly categorized or blocking sites with known security issues).

      Logs are monitored daily and incidents are evaluated and are generally disseminated using our incident reporting procedure. The procedure states that the CIO will forward the incident report and accompanying evidence to the Office of General Counsel (OGC) for a determination of the behavior and appropriate disciplinary action.

      Suggestion 1: The CIO should include the IG in the distribution of Security Incident Reports on computer misuse involving incidents referred to management for disciplinary actions. We concur with the intent of the recommendation. The current procedure already provides that OCIO forward these incident reports to the Office of General Counsel (OGC) for their review. After the OGC review, the CIO will distribute incident reports to the IG.

Sincerely,

Fernanda Young
Chief Information Officer

Cc:
 Michael Cushing, Senior Vice President, Resource Management
 Jonathan Cordone, Senior Vice President and General Counsel
 John Simonson, Senior Vice President and Chief Financial Officer
 Alice Albright, Executive Vice President and Chief Operating Officer
 Diane Farrell, Member of the Board of Directors
 Bijan R. Kian, Member of the Board of Directors

Office of Inspector General
Export-Import Bank of the United States
811 Vermont Avenue, NW
Washington, DC 20571
202-565-3908
www.exim.gov/oig